PhyData LLC, a medical billing and management company, has announced a data breach affecting 1,500 people. A laptop computer containing sensitive data was stolen from an employee. Media reports do not mention whether drive encryption software like AlertBoot was in use. This is, without a doubt, a HIPAA breach.

Stolen from the Mall

According to the tennessean.com, a laptop computer was stolen from the trunk of a PhyData employee's car at the RiverGate Mall on May 7. PhyData is a medical billing and management company, and the employee's laptop contained names, dates of birth, SSNs, and medical record numbers for patients of Advanced Diagnostic Imaging, Premier Radiology, and Anesthesia Services Associates (mostly those who visited the companies between January 2009 and December 2010).

Commentators at the tennessean.com are expressing not only disgust but doubt:

Stolen from the trunk. That alone sounds strange when detailing where the thief stole it and wasn't drawing any attention, from busting in the trunk. When the true story comes forward we will see the employee left it unattentive (sic). [truone]

Which resulted in this reply:

I agree. Taken from the trunk? Was there signage on the auto? Why would someone open a trunk with so many other cars around and possible property in view? This IS NOT the whole story on this one. Maybe the paper doesn't have all the info? This is a really poor article. [TNBikerChick]

Tin-Foil Hatters: Trunks are Broken into All the Time

I would have replied on the site, but it looks like one has to register, so I'll just comment here on this blog: there is no conspiracy. Usually, when a trunk gets busted it's because the driver parked and then placed valuable items in the trunk, thinking it would be safer there. Someone in the parking lot -- possibly a thief looking to catch people stowing things in their trunks -- watches the driver from the moment he enters the garage and, once sure the driver won't be back, goes to work. After all, if an item weren't valuable, why would anyone go through the effort of putting it in the trunk?

Yes, the trunk is the safer place to put valuables if you have to park your vehicle; however, a lot of this safety comes from the fact that trunks don't have windows. Thieves generally break into a car when they know they'll have something to show for their efforts. If they know that it's worth their time to break into a car's trunk, they'll do so.

And why not? Supposedly, a skilled thief can force open a car's trunk in less than a minute (by picking the lock). An unskilled thief can also break in in less than a minute, although that involves smashing the driver's-side window and using the trunk release button.

HIPAA / HITECH Compliance

PhyData is a medical billing company. As such, I'm sure it's safe to assume that it is a covered entity or business associate that needs to follow HIPAA regulations. As a covered entity, it must comply with the HIPAA Security Rule, under which an individual's protected health information (PHI) must be protected.

One way to protect such data -- and the only one that is granted safe harbor in case PHI is lost or stolen -- is the use of encryption software. Was it used? Its use hasn't been revealed, and the 1,500 patients are being notified of the breach, so it might not be a stretch to assume that medical data encryption for laptops wasn't in place.

PhyData had better have a good explanation for this if the employee was authorized to carry around the now-lost data. After all, any covered entity is supposed to evaluate whether the use of encryption is warranted or not; if not, it must have a valid (and documented) reason why it decided not to.

(As a personal observation, I'm not aware of any valid reasons why PHI-laden laptops that are taken outside a hospital setting are allowed to remain unencrypted.)

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.